Date: Sun, 22 Jun 2014 18:54:21 +0100
From: Nick Boyce <>
Subject: Re: KMail/KIO POP3 SSL MITM Flaw

On 18 June 2014 21:07, Richard Moore <> wrote:

> Title:          KMail/KIO POP3 SSL MITM Flaw
> CVE:            CVE-2014-3494
> Versions:       kdelibs 4.10.95 to 4.13.2
> The POP3 kioslave used by kmail will accept invalid
> certificates without presenting a dialog to the user due to
> a bug that leads to an inability to display the dialog
> combined with an error in the way the result is checked.
> This flaw allows an active attacker to perform MITM
> attacks against the ioslave which could result in the
> leakage of sensitive data such as the authentication
> details and the contents of emails.

Is there anything you can add as to how long this bug has been in the
codebase?  In particular, is the KMail in Debian 'oldstable' systems
affected (squeeze/kdelibs 4.4.5), or that in Debian 'stable' systems
(wheezy/kdelibs 4.8.4)?

I'm not sure whether to interpret the 'Versions' line in the advisory
as "bug was introduced at kdelibs 4.10.95" - and there is no further
information on the CVE at Mitre [1], or in the Debian bug [2]; there
appears to be no relevant bug at (a search for the CVE,
or any of the keywords "kdelibs pop3 ssl kioslave" returns nothing).

There is an IBM ISS report [3] which implies the bug affects at least
kdelibs 4.6.x ....
